Denying bad DNS HELO/EHLOs
February 26, 2022 Roberto Puzzanghera 2 comments
The RFC-821 Section 3.5 states that
The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.
The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.
Not denying clients with a bad HELO/EHLO DNS can be also considered a wise thing, just to avoid to update too frequently our welcomelist for those clients who didn't set up their DNS properly.
On the other hand, it is a matter of fact that most spammers use fake domains -very often our own domains-, or even random strings or not solving domains, as their HELO/EHLOs.
For example, consider the following log lines (I have plenty of them in my logs):
2022-02-01 10:19:53.142643500 helo-dns-check: HELO [yq3H9cDKgS] from [109.237.103.41] doesn't solve 2022-02-01 09:53:05.772497500 helo-dns-check: HELO [sagredo.eu] is a local domain but IP [183.240.55.119] is not a RELAYCLIENT
I think that at least such kind of failures should be blocked. I'll explain below how to set up a filter which deny clients with these particular DNS failures:
- not solving
HELO/EHLOs, i.e. random strings or fake domains with noArecord at all. - fake
HELO/EHLOs containing one of our domains, when theDNSdoesn't solve to one of ourIPs andRELAYCLIENTis not defined; - clients whose
Arecord doesn't match the domain in theirHELO/EHLO. This is completely againstRFC-821, so my configuration will not refuse these connections, just log them.
We'll make use of a qmail-spp "helodnscheck" plugin that I derived from an original work of Perolo Silantico, Jason Frisvold and Ren Bing. Here is the original plugin and my one:
The logic of the original plugin is to deny clients of type 3, which of course includes types 1 and 2, but without being able to select 1 and/or 2 from the others. My modified version, instead, can ban only clients of type 1 and/or 2 or work as the original program.
Installation and configuration
I assume that you have already patched qmail with qmail-spp. If you are using my combined patch you are ok.
Download, compile and install:
cd /usr/local/src wget https://notes.sagredo.eu/files/qmail/patches/qmail-spp/plugins/helodnscheck/helodnscheck7.c gcc -o /var/qmail/plugins/helodnscheck helodnscheck7.c -lresolv
Now enable the plugin, adding it to /var/qmail/control/smtpplugins in the [helo] section:
[helo] plugins/helodnscheck
List all your IPs inside the file control/moreipme (you should have already done this if you configured the "moreipme" patch):
1.2.3.4 5.6.7.8
Then enable qmail-spp and set up the plugin parameters to your needs. I suggest the following in your qmail-smtpd run file:
export ENABLE_SPP=1 export HELO_DNS_CHECK=PLRIV
In this way only bad HELOs of type 1 (I) and 2 (V) will be denied unless RELAYCLIENT is defined (R). All other DNS failures will pass through (P) and each of them will be logged (L).
Be aware that the HELO check can't work well on the submission port, where your IP cannot match the HELO, so you don't have to define HELO_DNS_CHECK in your qmail-submission run file.
Of course you can define HELO_DNS_CHECK via tcprules or allow a particular IP via NOHELODNSCHECK as follows:
111.222.333.444:allow, NOHELODNSCHECK="" :allow,HELO_DNS_CHECK="PLRIV"
The program's behaviour is defined in the HELO_DNS_CHECK variable:
- [default] - deny if HELO doesn't solve to a record
- P - passthrough, don't deny even when HELO doesn't solve to A record (of course, use with L and/or H)
- B - Block if TCPREMOTEIP is not contained in the solved addresses
- L - Log
- H - add Header "X-Helo-Check"
- R - if "RELAYCLIENT" is set, don't do anything
- D - Debug mode (use with L)
- V - Block if "RELAYCLIENT" is NOT set and the HELO is one of our IPs contained in control/moreipme. "localhost" will be denied as well. You don't want to use it together with B.
- I - Invalid hostname in HELO/EHLO (not solving) are denied. Using this one together with B is redundant.
The above can be combined, so BL means block & log if TCPREMOTEIP is not set.
Note: If there is no HELO/EHLO argument, it defaults to a permanent block.
qmail notes
Pay me a coffee:
LXC scripts
Other contents
Recent comments
qq_temporary_problem_(#4.3.0)
June 2, 2023 06:32
qq_temporary_problem_(#4.3.0)
June 1, 2023 21:18
qq_temporary_problem_(#4.3.0)
May 31, 2023 18:22
qq_temporary_problem_(#4.3.0)
May 31, 2023 14:42
qq_temporary_problem_(#4.3.0)
May 31, 2023 14:33
Thank you! for all the documentation, patches and support
May 26, 2023 08:42
free(): double free detected in tcache 2: /var/www/qmail/cgi-bin/qmailadmin
May 17, 2023 15:25
free(): double free detected in tcache 2: /var/www/qmail/cgi-bin/qmailadmin
May 17, 2023 07:46
See also...
Tags
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmail to postfix qmail-spp qmailadmin rbl roundcube rsync sieve simscan slackware solr spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin
Comments
plugins Directory not created
GoofY April 2, 2023 10:06
Howdy,
Just a minor thing, there is no '/var/qmail/plugins' directory, create with
Reply | Permalink
plugins Directory not created
Roberto Puzzanghera GoofY April 2, 2023 10:13
Thank you. I'll make that directory created at compilation time in the next release
Reply | Permalink